Snort not detecting 3306 traffic, but tcpdump on port 3306 DOES show traffic
by adrian-jaramillo from LinuxQuestions.org on (#5QMWA)
My scenario is:
- Server with Snort, mariadb, etc
- Attacker (client)
Code:
sudo tcpdump -i eth1 port 3306

This is the output...

Code:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:15:50.075293 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [P.], seq 1887652760:1887652779, ack 4258656510, win 1002, options [nop,nop,TS val 3289466069 ecr 3780598465], length 19
18:15:50.075402 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [.], ack 19, win 1016, options [nop,nop,TS val 3782532237 ecr 3289466069], length 0
18:15:50.146780 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [P.], seq 1:160, ack 19, win 1016, options [nop,nop,TS val 3782532308 ecr 3289466069], length 159
18:15:50.147255 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [.], ack 160, win 1002, options [nop,nop,TS val 3289466141 ecr 3782532308], length 0

In case you wonder, I executed a regular show databases; command without problems and got the results.
OK, so with that being said, we know the connection is working and the traffic is being seen.
Here is the netstat output to be even more sure:

Code:
vagrant@servidor:/etc/snort$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp6 0 0 :::514 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 10.0.0.10:123 0.0.0.0:* -
udp 0 0 192.168.121.37:123 0.0.0.0:* -
udp 0 0 127.0.0.1:123 0.0.0.0:* -
udp 0 0 0.0.0.0:123 0.0.0.0:* -
udp6 0 0 fe80::5054:ff:fe47::123 :::* -
udp6 0 0 fe80::5054:ff:fedd::123 :::* -
udp6 0 0 ::1:123 :::* -
udp6 0 0 :::123 :::* -

Next step: run Snort with a generic rule for detecting 3306 traffic. This is the rule I will run:

Code:
alert tcp any any -> $HOME_NET 3306 (msg:"mariadb traffic"; sid:29900)

I run Snort like this:

Code:
sudo snort -A console -q -i eth1 -c /etc/snort/snort.conf

From my attacker I'm running SQL commands, connecting and disconnecting, but nothing seems to generate alerts.
In case you need it, here is my interface information:

Code:
vagrant@servidor:/etc/snort$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:dd:10:a9 brd ff:ff:ff:ff:ff:ff
altname enp0s5
altname ens5
inet 192.168.121.37/24 brd 192.168.121.255 scope global dynamic eth0
valid_lft 2120sec preferred_lft 2120sec
inet6 fe80::5054:ff:fedd:10a9/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:47:ff:e4 brd ff:ff:ff:ff:ff:ff
altname enp0s6
altname ens6
inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe47:ffe4/64 scope link
valid_lft forever preferred_lft forever

I've been stuck on this problem for several days and have run out of ideas. Any help is appreciated, since Snort should be detecting 3306 traffic but it isn't.
PS: other Snort rules I have are working properly; I only have issues when it comes to port 3306 and with Snort specifically.
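As an added diagnostic (my own code, not from the post and not Snort's parser), here is a small Python model of how a rule header is matched against captured 5-tuples: it parses the tcpdump lines from the post, resolves $HOME_NET from a variable table you supply, and counts which packets the unidirectional `->` header would select. Feeding it the HOME_NET value from your snort.conf shows whether the destination 10.0.0.10 on eth1 is even inside the rule's scope; the port-name table and CIDR handling are simplified assumptions.

```python
import ipaddress
import re

# Constructed sample: the four tcpdump lines from the post, trimmed to the fields
# a rule header evaluates; tcpdump shows "mysql" for 3306 via /etc/services.
SAMPLE_TCPDUMP = """\
18:15:50.075293 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [P.], length 19
18:15:50.075402 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [.], length 0
18:15:50.146780 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [P.], length 159
18:15:50.147255 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [.], length 0
"""
RULE = 'alert tcp any any -> $HOME_NET 3306 (msg:"mariadb traffic"; sid:29900)'
PORT_NAMES = {"mysql": 3306}  # minimal /etc/services lookup for this sample
LINE_RE = re.compile(r"IP (\S+)\.(\w+) > (\S+)\.(\w+):")
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")

def to_port(name):
    return PORT_NAMES.get(name) or int(name)

def parse_tcpdump(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for each tcpdump line."""
    flows = []
    for m in (LINE_RE.search(line) for line in text.splitlines()):
        if m:
            sip, sport, dip, dport = m.groups()
            flows.append((sip, to_port(sport), dip, to_port(dport)))
    return flows

def ip_matches(spec, ip, variables):
    """Resolve a $VAR, then accept 'any' or a comma-separated CIDR list."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return True
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
               for n in spec.strip("[]").split(","))

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def matching_packets(rule, tcpdump_text, variables):
    """Count packets the one-way (->) header selects; server replies never match."""
    _, _, sip, sport, dip, dport = HEADER_RE.match(rule).groups()
    return sum(1 for s, sp, d, dp in parse_tcpdump(tcpdump_text)
               if ip_matches(sip, s, variables) and port_matches(sport, sp)
               and ip_matches(dip, d, variables) and port_matches(dport, dp))

if __name__ == "__main__":
    for home_net in ("any", "10.0.0.0/24", "192.168.121.0/24"):
        print(home_net, matching_packets(RULE, SAMPLE_TCPDUMP, {"HOME_NET": home_net}))
```

With HOME_NET covering 10.0.0.0/24 (or set to any) the two client-to-server packets match; with HOME_NET limited to the eth0 subnet 192.168.121.0/24 nothing matches, even though tcpdump sees the traffic.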